Fix a stack-protector warning: don't use a variable-length buffer

Instead, define a maximum size, and enforce it with an assertion.

1 files changed, 9 insertions, 2 deletions

diff --git a/src/or/onion.c b/src/or/onion.c
index 4fc5013835..0c88c4d7ee 100644
--- a/src/or/onion.c
+++ b/src/or/onion.c
@@ -521,6 +521,11 @@ onion_skin_create(int type,
   return r;
 }
 
+/* This is the maximum value for keys_out_len passed to
+ * onion_skin_server_handshake, plus 16. We can make it bigger if needed:
+ * It just defines how many bytes to stack-allocate. */
+#define MAX_KEYS_TMP_LEN 128
+
 /** Perform the second (server-side) step of a circuit-creation handshake of
  * type <b>type</b>, responding to the client request in <b>onion_skin</b>
  * using the keys in <b>keys</b>.  On success, write our response into
@@ -563,7 +568,8 @@ onion_skin_server_handshake(int type,
       return -1;
     {
       size_t keys_tmp_len = keys_out_len + DIGEST_LEN;
-      uint8_t keys_tmp[keys_tmp_len];
+      tor_assert(keys_tmp_len <= MAX_KEYS_TMP_LEN);
+      uint8_t keys_tmp[MAX_KEYS_TMP_LEN];
 
       if (onion_skin_ntor_server_handshake(
                                    onion_skin, keys->curve25519_key_map,
@@ -573,9 +579,10 @@ onion_skin_server_handshake(int type,
         /* no need to memwipe here, since the output will never be used */
         return -1;
       }
+
       memcpy(keys_out, keys_tmp, keys_out_len);
       memcpy(rend_nonce_out, keys_tmp+keys_out_len, DIGEST_LEN);
-      memwipe(keys_tmp, 0, keys_tmp_len);
+      memwipe(keys_tmp, 0, sizeof(keys_tmp));
       r = NTOR_REPLY_LEN;
     }
     break;